Can't import an EC private key with ykcs11
rvdgracht opened this issue · 4 comments
Hi,
Importing an EC private key with the following command fails.

```shell
pkcs11-tool --module /usr/lib/libykcs11.so.2 --write-object privateKey00.der --id 5 -y privkey
```
Due to:
```text
debug: yubico-piv-tool-2.3.0/ykcs11/ykcs11.c:1386 (C_CreateObject): In
debug: yubico-piv-tool-2.3.0/ykcs11/ykcs11.c:1510 (C_CreateObject): Importing private key
debug: yubico-piv-tool-2.3.0/ykcs11/objects.c:1669 (check_create_ec_key): Invalid 2
debug: yubico-piv-tool-2.3.0/ykcs11/objects.c:1850 (check_create_rsa_key): Invalid 2
debug: yubico-piv-tool-2.3.0/ykcs11/ykcs11.c:1532 (C_CreateObject): Private key template not valid
```
object.c:check_create_ec_key() can't cope with the CKA_PRIVATE (2) attribute.
Maybe the recent change made in dd12a73 to check_create_rsa_key() should be applied to check_create_ec_key() as well?
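The failure mode described above, as an added illustration in C that is not ykcs11's own code: a minimal PKCS#11-style template validator for an EC private key import. The PKCS#11 constants are the standard values; the validator function and its strict/tolerant switch are hypothetical and only model why a template carrying CKA_PRIVATE (attribute type 2) is rejected outright.

```c
#include <stdbool.h>
#include <stddef.h>

/* Standard PKCS#11 type and constant values (subset). */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef CK_ULONG CK_RV;

#define CKA_CLASS     0x0UL
#define CKA_TOKEN     0x1UL
#define CKA_PRIVATE   0x2UL   /* the "Invalid 2" seen in the debug log */
#define CKA_LABEL     0x3UL
#define CKA_VALUE     0x11UL
#define CKA_KEY_TYPE  0x100UL
#define CKA_ID        0x102UL
#define CKA_SIGN      0x108UL
#define CKA_EC_PARAMS 0x180UL
#define CKR_OK                     0x0UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x12UL
#define CKR_TEMPLATE_INCOMPLETE    0xD0UL

typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

/* Hypothetical allow-list of attributes for an EC private key. With
 * accept_private == false it behaves like the strict check that fails the
 * import: any attribute outside the list, CKA_PRIVATE included, is rejected. */
static bool ec_attr_known(CK_ATTRIBUTE_TYPE t, bool accept_private) {
    switch (t) {
    case CKA_CLASS: case CKA_TOKEN: case CKA_LABEL: case CKA_VALUE:
    case CKA_KEY_TYPE: case CKA_ID: case CKA_SIGN: case CKA_EC_PARAMS:
        return true;
    case CKA_PRIVATE:
        return accept_private;
    default:
        return false;
    }
}

/* Hypothetical validator: returns CKR_OK, CKR_TEMPLATE_INCOMPLETE when the
 * curve parameters or key value are missing, or CKR_ATTRIBUTE_TYPE_INVALID
 * with *bad set to the offending attribute type (the number the log prints). */
CK_RV validate_ec_private_key_template(const CK_ATTRIBUTE *tmpl, CK_ULONG n,
                                       bool accept_private, CK_ATTRIBUTE_TYPE *bad) {
    bool have_params = false, have_value = false;
    for (CK_ULONG i = 0; i < n; i++) {
        if (!ec_attr_known(tmpl[i].type, accept_private)) {
            *bad = tmpl[i].type;
            return CKR_ATTRIBUTE_TYPE_INVALID;
        }
        if (tmpl[i].type == CKA_EC_PARAMS) have_params = true;
        if (tmpl[i].type == CKA_VALUE) have_value = true;
    }
    return (have_params && have_value) ? CKR_OK : CKR_TEMPLATE_INCOMPLETE;
}
```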
Would you mind sharing your commands to generate the key? Thx
I can reproduce the issue with a key generated with the following command:
```shell
openssl ecparam -name prime256v1 -genkey -noout -out privateKey00.der -outform DER
```
OK, I see. That is fixed in the master branch, and will make it to the next release. If you can build from master you would be able to test immediately. Please note that you need to authenticate as SO to import keys (or any object):

```shell
pkcs11-tool --module /usr/local/lib/libykcs11.so --write-object privateKey00.der --id 5 -y privkey -l --login-type so --so-pin 010203040506070801020304050607080102030405060708
```
The above is for the default adm key (SO PIN). Whatever key you set must be hex-encoded as above.
Closing this issue as fixed.